Merge pull request #18 from cert-manager/add_timing_test

Add timing test for Check and Sign

Author: jetstack-bot

controllers/combined_controller.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"k8s.io/utils/clock"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 
 	v1alpha1 "github.com/cert-manager/issuer-lib/api/v1alpha1"
@@ -81,6 +82,14 @@ type CombinedController struct {
 	// controller.
 	DisableKubernetesCSRController bool
 
+	// PreSetupWithManager is an optional function that can be used to perform
+	// additional setup before the controller is built and registered with the
+	// manager.
+	PreSetupWithManager func(context.Context, schema.GroupVersionKind, ctrl.Manager, *builder.Builder) error
+
+	// PostSetupWithManager is an optional function that can be used to perform
+	// additional setup after the controller is built and registered with the
+	// manager.
 	PostSetupWithManager func(context.Context, schema.GroupVersionKind, ctrl.Manager, controller.Controller) error
 }
 
@@ -106,6 +115,7 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 			EventRecorder: r.EventRecorder,
 			Clock:         r.Clock,
 
+			PreSetupWithManager:  r.PreSetupWithManager,
 			PostSetupWithManager: r.PostSetupWithManager,
 		}).SetupWithManager(ctx, mgr); err != nil {
 			return fmt.Errorf("%T: %w", issuerType, err)
@@ -132,6 +142,7 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 				EventRecorder:            r.EventRecorder,
 				Clock:                    r.Clock,
 
+				PreSetupWithManager:  r.PreSetupWithManager,
 				PostSetupWithManager: r.PostSetupWithManager,
 			},
 
@@ -157,6 +168,7 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 				EventRecorder:            r.EventRecorder,
 				Clock:                    r.Clock,
 
+				PreSetupWithManager:  r.PreSetupWithManager,
 				PostSetupWithManager: r.PostSetupWithManager,
 			},
 		}).SetupWithManager(ctx, mgr); err != nil {

controllers/combined_controller_integration_test.go

@@ -19,19 +19,27 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"sync"
 	"testing"
 	"time"
 
 	cmutil "github.com/cert-manager/cert-manager/pkg/api/util"
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	cmgen "github.com/cert-manager/cert-manager/test/unit/gen"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/retry"
+	"k8s.io/client-go/util/workqueue"
 	"k8s.io/utils/clock"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
 
 	v1alpha1 "github.com/cert-manager/issuer-lib/api/v1alpha1"
 	"github.com/cert-manager/issuer-lib/conditions"
@@ -278,3 +286,290 @@ func TestCombinedControllerTemporaryFailedCertificateRequestRetrigger(t *testing
 		})
 	}
 }
+
+func TestCombinedControllerTiming(t *testing.T) { //nolint:tparallel
+	t.Parallel()
+
+	t.Log(
+		"Tests to show that the CertificateRequest controller and Issuer controller call the Check and Sign functions at the correct times",
+	)
+
+	fieldOwner := "failed-certificate-request-should-retrigger-issuer"
+
+	ctx := testcontext.ForTest(t)
+	kubeClients := testresource.KubeClients(t, nil)
+
+	type simulatedCheckResult struct {
+		err error
+	}
+	type simulatedSignResult struct {
+		cert []byte
+		err  error
+	}
+
+	type simulatedResult struct {
+		*simulatedCheckResult
+		*simulatedSignResult
+		expectedSinceLastResult time.Duration
+	}
+
+	type testcase struct {
+		name             string
+		maxRetryDuration time.Duration
+		results          []simulatedResult
+	}
+
+	testcases := []testcase{
+		{
+			name:             "single-error-for-issuer-and-certificate-request",
+			maxRetryDuration: 1 * time.Hour,
+			results: []simulatedResult{
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: nil},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: nil, err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: []byte("cert"), err: nil},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+			},
+		},
+		{
+			name:             "double-error-for-issuer-and-certificate-request",
+			maxRetryDuration: 1 * time.Hour,
+			results: []simulatedResult{
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: nil},
+					expectedSinceLastResult: 400 * time.Millisecond,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: nil, err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: nil, err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: []byte("cert"), err: nil},
+					expectedSinceLastResult: 400 * time.Millisecond,
+				},
+			},
+		},
+		{
+			name:             "single-error-for-issuer-and-certificate-request-reaching-max-retry-duration",
+			maxRetryDuration: 300 * time.Millisecond, // should cause temporary CertificateRequest errors to fail permanently
+			results: []simulatedResult{
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: nil},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: nil, err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 0,
+				},
+			},
+		},
+		{
+			name:             "single-pending-error-for-issuer-and-certificate-request-reaching-max-retry-duration",
+			maxRetryDuration: 300 * time.Millisecond, // should cause temporary CertificateRequest errors to fail permanently
+			results: []simulatedResult{
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: fmt.Errorf("[error message]")},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: nil},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: nil, err: signer.PendingError{Err: fmt.Errorf("[error message]")}},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: []byte("ok"), err: nil},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+			},
+		},
+		{
+			name:             "fail-issuer-permanently",
+			maxRetryDuration: 1 * time.Hour,
+			results: []simulatedResult{
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: signer.PermanentError{Err: fmt.Errorf("[error message]")}},
+					expectedSinceLastResult: 0,
+				},
+			},
+		},
+		{
+			name:             "trigger-issuer-error-then-recover",
+			maxRetryDuration: 1 * time.Hour,
+			results: []simulatedResult{
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: nil},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: nil, err: signer.IssuerError{Err: fmt.Errorf("[error message]")}},
+					expectedSinceLastResult: 0,
+				},
+				{
+					simulatedCheckResult:    &simulatedCheckResult{err: nil},
+					expectedSinceLastResult: 200 * time.Millisecond,
+				},
+				{
+					simulatedSignResult:     &simulatedSignResult{cert: []byte("ok"), err: nil},
+					expectedSinceLastResult: 0,
+				},
+			},
+		},
+	}
+
+	for _, tc := range testcases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			resultsMutex := sync.Mutex{}
+			resultsIndex := 0
+			results := tc.results
+			durations := make([]time.Time, len(results))
+			errorCh := make(chan error)
+			done := make(chan struct{})
+
+			ctx := setupControllersAPIServerAndClient(t, ctx, kubeClients,
+				func(mgr ctrl.Manager) controllerInterface {
+					return &CombinedController{
+						IssuerTypes:        []v1alpha1.Issuer{&api.TestIssuer{}},
+						ClusterIssuerTypes: []v1alpha1.Issuer{&api.TestClusterIssuer{}},
+						FieldOwner:         fieldOwner,
+						MaxRetryDuration:   tc.maxRetryDuration,
+						Check: func(_ context.Context, _ v1alpha1.Issuer) error {
+							resultsMutex.Lock()
+							defer resultsMutex.Unlock()
+							defer func() { resultsIndex++ }()
+
+							if resultsIndex >= len(results)-1 {
+								if resultsIndex > len(results)-1 {
+									errorCh <- fmt.Errorf("too many calls to Check")
+									return nil
+								}
+								defer close(done)
+							}
+							durations[resultsIndex] = time.Now()
+							if results[resultsIndex].simulatedCheckResult == nil {
+								errorCh <- fmt.Errorf("unexpected call to Check")
+								return nil
+							}
+							return results[resultsIndex].simulatedCheckResult.err
+						},
+						Sign: func(_ context.Context, _ signer.CertificateRequestObject, _ v1alpha1.Issuer) (signer.PEMBundle, error) {
+							resultsMutex.Lock()
+							defer resultsMutex.Unlock()
+							defer func() { resultsIndex++ }()
+
+							if resultsIndex >= len(results)-1 {
+								if resultsIndex > len(results)-1 {
+									errorCh <- fmt.Errorf("too many calls to Sign")
+									return signer.PEMBundle{}, nil
+								}
+								defer close(done)
+							}
+							durations[resultsIndex] = time.Now()
+							if results[resultsIndex].simulatedSignResult == nil {
+								errorCh <- fmt.Errorf("unexpected call to Sign")
+								return signer.PEMBundle{}, nil
+							}
+							result := results[resultsIndex].simulatedSignResult
+							return signer.PEMBundle{
+								ChainPEM: result.cert,
+							}, result.err
+						},
+						EventRecorder: record.NewFakeRecorder(100),
+
+						PreSetupWithManager: func(ctx context.Context, gvk schema.GroupVersionKind, mgr ctrl.Manager, b *builder.Builder) error {
+							b.WithOptions(controller.Options{
+								RateLimiter: workqueue.NewItemExponentialFailureRateLimiter(200*time.Millisecond, 5*time.Second),
+							})
+							return nil
+						},
+					}
+				},
+			)
+
+			t.Logf("Creating a namespace")
+			namespace, cleanup := kubeClients.SetupNamespace(t, ctx)
+			defer cleanup()
+
+			issuer := testutil.TestIssuer(
+				"issuer-1",
+				testutil.SetTestIssuerNamespace(namespace),
+			)
+
+			cr := cmgen.CertificateRequest(
+				"certificate-request-1",
+				cmgen.SetCertificateRequestNamespace(namespace),
+				cmgen.SetCertificateRequestCSR([]byte("doo")),
+				cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{
+					Name:  issuer.Name,
+					Kind:  issuer.Kind,
+					Group: api.SchemeGroupVersion.Group,
+				}),
+			)
+
+			require.NoError(t, kubeClients.Client.Create(ctx, issuer))
+			createApprovedCR(t, ctx, kubeClients.Client, clock.RealClock{}, cr)
+
+			<-done
+			time.Sleep(1 * time.Second)
+			select {
+			case err := <-errorCh:
+				assert.NoError(t, err)
+			default:
+			}
+
+			require.NoError(t, retry.RetryOnConflict(retry.DefaultRetry, func() error {
+				err := kubeClients.Client.Get(ctx, client.ObjectKeyFromObject(cr), cr)
+				if err != nil {
+					return err
+				}
+				return kubeClients.Client.Delete(ctx, cr)
+			}))
+			require.NoError(t, retry.RetryOnConflict(retry.DefaultRetry, func() error {
+				err := kubeClients.Client.Get(ctx, client.ObjectKeyFromObject(issuer), issuer)
+				if err != nil {
+					return err
+				}
+				return kubeClients.Client.Delete(ctx, issuer)
+			}))
+
+			for i := 1; i < len(results); i++ {
+				measuredDuration := durations[i].Sub(durations[i-1])
+				expectedDuration := results[i].expectedSinceLastResult
+
+				require.True(t, expectedDuration-150*time.Millisecond < measuredDuration, "result %d: expected %v, got %v", i, expectedDuration, measuredDuration)
+				require.True(t, expectedDuration+150*time.Millisecond > measuredDuration, "result %d: expected %v, got %v", i, expectedDuration, measuredDuration)
+			}
+		})
+	}
+}

controllers/issuer_controller.go

@@ -73,6 +73,14 @@ type IssuerReconciler struct {
 	// Clock is used to mock condition transition times in tests.
 	Clock clock.PassiveClock
 
+	// PreSetupWithManager is an optional function that can be used to perform
+	// additional setup before the controller is built and registered with the
+	// manager.
+	PreSetupWithManager func(context.Context, schema.GroupVersionKind, ctrl.Manager, *builder.Builder) error
+
+	// PostSetupWithManager is an optional function that can be used to perform
+	// additional setup after the controller is built and registered with the
+	// manager.
 	PostSetupWithManager func(context.Context, schema.GroupVersionKind, ctrl.Manager, controller.Controller) error
 }
 
@@ -265,6 +273,14 @@ func (r *IssuerReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manage
 			nil,
 		)
 
+	if r.PreSetupWithManager != nil {
+		err := r.PreSetupWithManager(ctx, forObjectGvk, mgr, build)
+		r.PreSetupWithManager = nil // free setup function
+		if err != nil {
+			return err
+		}
+	}
+
 	if controller, err := build.Build(r); err != nil {
 		return err
 	} else if r.PostSetupWithManager != nil {